<%#
kind: snippet
name: remote_execution_ssh_keys
model: ProvisioningTemplate
snippet: true
description: |
  SSH keys setup snippet for Remote Execution plugin

  Parameters:

  remote_execution_ssh_keys: public keys to be put in ~/.ssh/authorized_keys

  remote_execution_ssh_user: user for which remote_execution_ssh_keys will be
                             authorized

  remote_execution_create_user: create user if it not already existing

  remote_execution_effective_user_method: method to switch from ssh user to
                                          effective user

  This template sets up SSH keys in any host so that as long as your public
  SSH key is in remote_execution_ssh_keys, you can SSH into a host. This
  works in combination with Remote Execution plugin by querying smart proxies
  to build an array.

  To use this snippet without the plugin provide the SSH keys as host parameter
  remote_execution_ssh_keys. It expects the same format like the authorized_keys
  file.
-%>

# Select package manager for the OS (sets the $PKG_MANAGER* variables)
if [ -z "$PKG_MANAGER" ]; then
<%= indent(2) { snippet 'pkg_manager' } -%>
fi

<% if !host_param('remote_execution_ssh_keys').blank? %>
<% ssh_user = host_param('remote_execution_ssh_user') || 'root' %>

user_exists=false
getent passwd <%= ssh_user %> >/dev/null 2>&1 && user_exists=true

<% if ssh_user != 'root' && host_param_true?('remote_execution_create_user') -%>
if ! $user_exists; then
  useradd -m <%= ssh_user %> && user_exists=true
fi
<% end -%>

if $user_exists; then
<% ssh_path = "~#{ssh_user}/.ssh" %>

  mkdir -p <%= ssh_path %>

  cat << EOF >> <%= ssh_path %>/authorized_keys
<%= host_param('remote_execution_ssh_keys').is_a?(String) ? host_param('remote_execution_ssh_keys') : host_param('remote_execution_ssh_keys').join("\n") %>
EOF

  chmod 0700 <%= ssh_path %>
  chmod 0600 <%= ssh_path %>/authorized_keys
  chown -R <%= "#{ssh_user}:" %> <%= ssh_path %>
<% if ssh_user != 'root' -%>
  chown -R <%= "#{ssh_user}:" %> <%= "~#{ssh_user}" %>
<% end -%>

  # Restore SELinux context with restorecon, if it's available:
  command -v restorecon && restorecon -RvF <%= ssh_path %> || true

<% if ssh_user != 'root' && host_param('remote_execution_effective_user_method') == 'sudo' -%>
if [ ! -x "$(command -v sudo)" ]; then
  $PKG_MANAGER_INSTALL sudo
fi
<% if @host.operatingsystem.family == 'Redhat' || @host.operatingsystem.family == 'Debian' -%>
echo "<%= ssh_user %> ALL = (ALL) NOPASSWD : ALL" > /etc/sudoers.d/<%= ssh_user %>
echo "Defaults:<%= ssh_user %> !requiretty" >> /etc/sudoers.d/<%= ssh_user %>
chmod 440 /etc/sudoers.d/<%= ssh_user %>
<% elsif @host.operatingsystem.family == 'Suse' -%>
echo "<%= ssh_user %> ALL = (ALL) NOPASSWD : ALL" >> /etc/sudoers
echo "Defaults:<%= ssh_user %> !targetpw" >> /etc/sudoers
chmod 440 /etc/sudoers.d/<%= ssh_user %>
<% end -%>
<% end -%>
else
  echo 'The remote_execution_ssh_user does not exist and remote_execution_create_user is not set to true.  remote_execution_ssh_keys snippet will not install keys'
fi
<% end -%>
